Parts 1 and 2 happened in succession in November two years ago: the open redirection services of Google and AOL were used by spammers to trick unknowing email recipients into clicking links which led them to different websites. This sequel’s celebrity is Yahoo!:
Figures 1 & 2. Sample spam.
The sample spammed messages above contain links with the string search.yahoo.com, which may convince users that the site is legitimate or trusted. They are led to sites (an example is shown below) which, true enough, sell replica watches and other cheap products.
Figure 3. This website offers cheap replica watches.
These sites were created just this month, and they share a single IP address. As in the old Google and AOL incidents, spammers took advantage of open redirection functionality, which search engines use to redirect users to target websites automatically. Users need only enter a URL or string that is predictably related, even if not exactly, to the site they are looking for, and they are immediately led to it without having to see a results page.
The links given in the email messages in this attack look as if Yahoo! itself yielded the results, but spammers were able to manipulate search results and obfuscate the URLs to add credibility to the sites they are advertising.
Given the two-year gap between the earlier two spamming operations and this current one, it seems clear that this technique still works for spammers. Besides adding site credibility, it also lets spammed messages evade filters because the links inside them appear legitimate. This kind of search engine exploitation is considered to be a blackhat SEO (Search Engine Optimization) practice.
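A filter-side check for the evasion described above, as an added example that is not from the original article: for links pointing at a trusted host, it decodes the path and query and reports any other host embedded there, so the real destination can be scored too. Only the host search.yahoo.com comes from the article; the sample links, their paths and parameter names are constructed and do not reproduce Yahoo!'s actual redirect format.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts whose reputation a filter might otherwise trust (assumption for this example).
TRUSTED_HOSTS = {"search.yahoo.com"}

# An absolute URL appearing inside another URL's path or query, once decoded.
EMBEDDED_URL = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so double-encoded targets are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def hidden_destinations(url):
    """Return hosts embedded in the path/query of a link to a trusted host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return []
    tail = fully_decode(parts.path + "?" + parts.query)
    found = []
    for match in EMBEDDED_URL.finditer(tail):
        target = match.group(1).lower()
        same_site = target == host or target.endswith("." + host)
        if not same_site and target not in found:
            found.append(target)
    return found

def effective_hosts(url):
    """Hosts a filter should score: the visible one plus embedded targets."""
    visible = (urlsplit(url).hostname or "").lower()
    return [visible] + hidden_destinations(url)

# Constructed sample links (not taken from the spam run described here).
SAMPLES = [
    "http://search.yahoo.com/r?u=http%3A%2F%2Freplica-watches.example%2Fbuy",
    "http://search.yahoo.com/r/http%253A%252F%252Fcheap-goods.example/",
    "http://search.yahoo.com/search?p=replica+watches",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", effective_hosts(link))
```

An ordinary search query with no embedded URL yields only the visible host, so the check adds no extra lookups for normal links.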
The timing of this run may also be related to the upcoming Valentine’s Day, as more users are expected to purchase presents online. The malware family WALEDAC was the first to take advantage of this event, sending fake ecards that led to malware.
The Trend Micro Smart Protection Network already blocks these spammed messages.